Hackers obtained user data from Twilio-owned 2FA authentication app Authy

Pierluigi Paganini July 04, 2024

Twilio states that threat actors have identified the phone numbers of users of its two-factor authentication app, Authy, TechCrunch reported.

Last week, the notorious hacker ShinyHunters claimed to have stolen 33 million phone numbers from Twilio. This week the messaging firm told TechCrunch that “threat actors” identified data of Authy users, a two-factor authentication app owned by Twilio, including their phone numbers.

Twilio is an American firm that provides programmable communication tools for making and receiving phone calls, sending and receiving text messages, and performing other communication functions using its web service APIs.

The company has more than 5,000 employees in 17 countries, and its revenues in 2021 are US$2.84 billion.

A company spokesperson told TechCrunch that the hackers obtained the data from an unauthenticated endpoint. The company confirmed it has already secured the vulnerable endpoint.

Twilio stated there is no evidence that the threat actors accessed its systems or other sensitive data. As a precaution, the company is urging all Authy users to update their Android and iOS apps and remain vigilant against phishing and smishing attacks.

“Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.” reads a security update published by the company. “We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting that all Authy users update to the latest Android and iOS apps for the latest security updates. While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving.”

In August 2022, Twilio disclosed a data breach, threat actors had access to the data of some of its customers. The attackers accessed company systems using employee credentials obtained through a sophisticated SMS phishing attack.

“On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials. This broad based attack against our employee base succeeded in fooling some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.” Twilio said over the weekend.” reads the incident report published by Twilio.

The company did not disclose the number of affected employees and customers.

In October 2022, the Communications company announced that it suffered another “brief security incident” on June 29, 2022, the attack was conducted by the same threat actor that in August compromised the company and gained access to customers’ and employees’ information.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, ShinyHunters)

you might also like

leave a comment